Access Protection is disabled when there is an invalid character within a rule
Technical Articles ID: KB83808
Last Modified: 8/6/2015

Environment

VirusScan Enterprise 8.8 Patch 4 + HF929019
ePolicy Orchestrator (ePO)

Problem

Access Protection does not enforce any rules after either of the following access protection rules is modified via ePolicy Orchestrator:
  • Prevent termination of McAfee processes
  • Protect cached files from password and email address stealers
When either of these access protection rules is modified, the policy becomes corrupt because of an incorrect translation of a system variable. When that corruption reaches the client system, Access Protection becomes ineffective; you still cannot stop protected services, but you can terminate their processes.

The same symptom can be induced by purposefully creating a rule containing the invalid forward slash (/) character as the first character of a process to exclude.

System Change

One of the following access protection rules was modified:
  • Prevent termination of McAfee processes
  • Protect cached files from password and email address stealers

A rule was created to exclude a process beginning with "/".

Cause

Two failure points cause this issue to occur:
  • At the ePO server, modifying and saving either of two specific rules (which contain a reference to the Windows system variable) writes an incorrect value to the database as part of the modified policy. Specifically, a path to a process name begins with a "/" character. The affected process name entry was meant to refer to "C:/Windows/System32/<process name>.exe" (where <process name> is a legitimate Windows process found in the System32 folder), but instead the process is referred to using a truncated path, "/system32/<process name>.exe".
  • At the client system where VSE 8.8 Patch 4 + HF929019 is installed, reading the access protection rule encounters the unexpected "/" character, and error handling causes all Access Protection rules for the VSE product to be ignored.

    The effective result is the disabling of Access Protection.
The error handling differs from prior releases because HF929019 introduces a new technology for enforcing access protection called Arbitrary Access Control (AAC), which does not handle the corrupt policy in the same way. Patch 5 will handle the corrupt policy in the same way as prior releases.

Solution

VSE 8.8 Patch 5 includes an updated extension as well as updated client code to solve this issue.

Updates are available when you log on to the ServicePortal at: https://support.mcafee.com/downloads.

Workaround

Modify the access protection policy that contains the invalid character entry. If you are unsure which rule has the corrupted data, first inspect these rules:
  • Prevent termination of McAfee processes
  • Protect cached files from password and email address stealers

Next, check all user-defined access protection rules and identify any references to process names that begin with a "/" character.

Correct every instance found so that it refers to the full path ("C:\folder\processname.exe"), or remove the path and refer to the process name only.
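
The check described in this workaround can be scripted once the process lists have been copied out of the policy. The following is an added example, not McAfee code: it assumes the rules are available as a dictionary of rule name to comma-separated include/exclude process lists (a hypothetical layout, not the ePO export format), and all sample entries are constructed.

```python
"""Audit Access Protection process lists for entries that begin with "/".

Assumption: rules are supplied as a dict of rule name -> {"include": str,
"exclude": str}, each a comma-separated process list. This layout is
hypothetical and is not the ePO export format.
"""


def split_entries(process_list):
    """Split a comma-separated process list, dropping blanks and padding."""
    return [e.strip() for e in process_list.split(",") if e.strip()]


def suggest_fix(entry):
    """Return the process-name-only form, or None if no name remains."""
    name = entry.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    return name or None


def audit_rules(rules):
    """Return (rule, field, entry, suggestion) for each entry starting with "/"."""
    findings = []
    for rule_name, fields in rules.items():
        for field in ("include", "exclude"):
            for entry in split_entries(fields.get(field, "")):
                if entry.startswith("/"):
                    findings.append((rule_name, field, entry, suggest_fix(entry)))
    return findings


# Constructed sample data; process names and the user-defined rule are placeholders.
SAMPLE_RULES = {
    "Prevent termination of McAfee processes": {
        "include": "*",
        "exclude": "/system32/example.exe, helper.exe",
    },
    "Protect cached files from password and email address stealers": {
        "include": "*",
        "exclude": "C:\\folder\\processname.exe",
    },
    "User-defined rule (constructed)": {
        "include": "*",
        "exclude": " /updater.exe ,, /",
    },
}

if __name__ == "__main__":
    for rule, field, entry, fix in audit_rules(SAMPLE_RULES):
        action = f"replace with {fix!r}" if fix else "remove the entry"
        print(f"{rule} [{field}]: {entry!r} -> {action}")
```

The suggestion column applies the second option from the workaround (process name only); where the full path is preferred, correct the entry by hand.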
